Summary

Symantec Network Protection products using affected SSL/TLS server implementations and RSA key exchange are susceptible to a variation of the Bleichenbacher adaptive chosen ciphertext attack. A remote attacker, who has captured a pre-recorded encrypted SSL session to the target, can establish a large number of crafted SSL connections to the target and obtain the session keys required to decrypt the pre-recorded SSL session.

Affected Products

IntelligenceCenter (IC)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 3.3 | Not available at this time. |

SSL Visibility (SSLV)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs | 4.0 and later | Not vulnerable |
| All CVEs | 3.12 | Upgrade to 3.12.2.1. |
| All CVEs | 3.11 | Upgrade to later release with fixes. |
| All CVEs | 3.10 | Upgrade to 3.10.4.1. |
| All CVEs | 3.8.4FC | Upgrade to later release with fixes. |

Additional Product Information

SSLV is only vulnerable when intercepting SSL/TLS traffic that uses RSA key exchange.

Issues

In the original Bleichenbacher attack, a remote attacker, who has recorded or obtained a pre-recorded encrypted SSL session, can exploit the padding oracle flaw in an SSL/TLS server by establishing a large number of crafted SSL connections. With each connection, the server leaks a small amount of information about the original secret in the pre-recorded session. After approximately one million crafted connections to the server, the Bleichenbacher attacker can recover the original secret, compute the session keys and decrypt the encrypted data exchanged during the pre-recorded session.

The ROBOT attack is a new variation of the Bleichenbacher attack that uses modified attack vectors to discover padding oracles in SSL server implementations. The ROBOT attack classifies padding oracles as follows:

A "strong oracle" leaks sufficient information per crafted SSL connection to allow recovering the pre-recorded SSL session's keys with the same efficiency as the original Bleichenbacher attack (approximately one million crafted connections).

A "weak oracle" does not leak sufficient information per crafted SSL connection and requires multiple millions of crafted connections to recover the session keys for a single pre-recorded SSL session. ROBOT attacks against weak oracles are considered impractical.
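
The padding oracle described above, shown as an added illustration that is not from this advisory or from any Symantec product code: a PKCS#1 v1.5 unpadding routine whose failures are distinguishable, beside the uniform handling that RFC 5246 section 7.4.7.1 specifies (substitute a random premaster secret and let the handshake fail later at Finished). Function names and the 64-byte sample block are constructed; the client-version check is omitted, and the compiler is assumed not to reintroduce branches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48 /* TLS premaster secret length under RSA key exchange */

/* Leaky form: every failure reason is distinguishable. If these map to
 * different alerts, timing or connection handling, the server is an oracle. */
int pms_extract_leaky(const uint8_t *em, size_t n, uint8_t out[PMS_LEN]) {
    if (n < PMS_LEN + 11) return -1;
    if (em[0] != 0x00 || em[1] != 0x02) return -2;   /* bad block header */
    size_t i = 2;
    while (i < n && em[i] != 0x00) i++;              /* find 0x00 separator */
    if (i == n || i < 10) return -3;                 /* padding malformed */
    if (n - i - 1 != PMS_LEN) return -4;             /* wrong secret length */
    memcpy(out, em + i + 1, PMS_LEN);
    return 0;
}

/* Hardened form: no early exit on secret data and no error result. `fallback`
 * is PMS_LEN random bytes the caller generated before decrypting; n is the
 * public modulus length, so branching on it leaks nothing. */
void pms_extract_uniform(const uint8_t *em, size_t n,
                         const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN]) {
    if (n < PMS_LEN + 11) { memcpy(out, fallback, PMS_LEN); return; }
    size_t sep = n - PMS_LEN - 1;                    /* only valid separator slot */
    uint32_t bad = (uint32_t)(em[0] | (em[1] ^ 0x02) | em[sep]);
    for (size_t i = 2; i < sep; i++)                 /* padding bytes must be nonzero */
        bad |= (((uint32_t)em[i] - 1u) >> 8) & 1u;
    uint8_t mask = (uint8_t)(0u - ((bad | (0u - bad)) >> 31)); /* 0xFF if bad */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((em[sep + 1 + i] & (uint8_t)~mask) | (fallback[i] & mask));
}

int main(void) {
    uint8_t em[64], fb[PMS_LEN], out[PMS_LEN];       /* constructed sample block */
    memset(em, 0xAA, sizeof em); em[0] = 0x00; em[1] = 0x02; em[15] = 0x00;
    memset(em + 16, 0x11, PMS_LEN);
    memset(fb, 0x77, PMS_LEN);                       /* demo only; must be random */
    pms_extract_uniform(em, sizeof em, fb, out);
    printf("valid block    -> out[0]=0x%02x\n", out[0]);
    em[1] = 0x01;                                    /* corrupt the header */
    printf("leaky result   -> %d\n", pms_extract_leaky(em, sizeof em, out));
    pms_extract_uniform(em, sizeof em, fb, out);
    printf("uniform result -> out[0]=0x%02x (fallback)\n", out[0]);
    return 0;
}
```

The leaky routine's four return codes are the kind of per-connection signal the attack needs; the uniform routine always yields 48 bytes, so the caller has nothing to report until the Finished check fails.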